[Gambas-user] Test Module, First try

Brian G brian at westwoodsvcs.com
Fri Aug 14 23:20:52 CEST 2020


Hi,

The IDE, if used to build an installation package, seems to always install the library to a subdirectory of /usr/lib/gambas3 by default ... so I am a little confused?

1) I have to discover then where the IDE gets the correct path during package generation... OK
2) My hacker mind sees many ways but, you're right, I think I will forget about the security stuff
3) I am not using absolute paths unless I need a default. I am using XDG_DATA_HOME and XDG_DATA_DIRS if available now.
   The entry gbs3 makes into the .project file is an absolute path after it locates the correct lib according to the search order.
   This path is regenerated upon each execution of the script.
4) It looks like I have some homework reading to do this weekend...lol
5) And a final search point is the /usr/bin directory, or should it correctly be $PATH if executables can also be libraries?


Thanks

Brian G

----- Original Message -----
From: "Brian" <brian at westwoodsvcs.com>
To: "Gambas mailing list" <user at lists.gambas-basic.org>
Sent: Friday, August 14, 2020 1:46:56 PM
Subject: Re: [Gambas-user] Test Module, First try

if they have a user account on a server and run a management script

Thank You
Brian G

----- Original Message -----
From: "Bruce" <adamnt42 at gmail.com>
To: "Gambas mailing list" <user at lists.gambas-basic.org>
Sent: Friday, August 14, 2020 1:36:36 PM
Subject: Re: [Gambas-user] Test Module, First try

Things you should be aware of:
https://refspecs.linuxfoundation.org/FHS_3.0/fhs/index.html
https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
https://en.wikipedia.org/wiki/Rpath and
https://www.tecmint.com/understanding-shared-libraries-in-linux/ (if you 
have a good browser that eliminates ad-ware).

also /etc/ld.so.conf (which may contain "includes" like 
/etc/ld.so.conf.d/*.conf)

Have a nice weekend's reading! More inline below

rgrds
bruce

On 15/8/20 4:03 am, Brian G wrote:
> I am holding off on adding the /usr/bin directory as a possible source, it seems wrong to look for a library there.
See the FHS
> 
> I need some input here, I am thinking of having a directive for gambas scripts that prevents the usage of local libraries.
> The reason I have for this is that it would be super easy to simply hijack a script that is being used for production management with a local library which could be customized to do bad things if the script is being run with sudo privileges.
AFAIR, the security fraternity generally frowns upon having user home 
directories upon production systems. :-)
So, I wouldn't sweat on this one too much.
> 
> if my script used library x.0.0.0 from the system /usr/lib/gambas3
> and someone makes a local lib in ~/.local/share/lib/gambas3 called x.0.0.0
> 
Again beware of using literal paths for shared library paths. Depending 
on the actual filesystem on a system, and all the other things I have 
mentioned, they could be anywhere.
For example, on our internal shared development server, system shared 
libraries (so's) are located in /usr/local/lib64/xxx/ where xxx is either:
null i.e. it points to the server system libraries
"dev" or "base" or "staged" which are directories containing actual so's 
or links to other places in /usr/local/lib64. Gambas shared libraries 
are in /usr/local/lib64 or in one of those subdirs when we are working 
on "our" version(s) of native gambas components. Then there is "our" 
components (custom controls and the like) these are in further sets of 
subdirs. Hmm, that was about as transparent as a brick wall! Suffice to 
say that if I was looking for a shared library based on "/usr/lib/" I 
wouldn't find it or a specific version of it. "/usr/lib/" is for distro 
installed shared libraries, not locally installed libraries.

> they just hijacked my script and have su privileges!!!
Only on their PC. Unless they can write a gambas program to log in to 
the server with executive privileges, which means they have the root 
password already, which means they don't have to.

> 
> It can't be a command line option as that can be overridden... or if the script is executed directly...
No, well yes I don't think so.

> 
> I don't know if this would also affect gambas apps, but I think you define the exact lib in the IDE to be used for apps.
If I understand you here, I don't think this is an issue. It is 
important to have an understanding that the world inside the IDE is 
different to that of the gbx3/gbr3 world.  For example, the IDE uses 
your gambas libraries to provide autocompletion, help and compilation 
but not execution. It is gbx3 that goes looking for the actual shared 
library at runtime to dynamically load and link to it. I don't know what 
gbs3 does.
